-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Design: Where to put timestamps in envelope? #33
Comments
I don't think it needs to be in the signature envelope itself. It could be part of the signed content, but looking forward to objections here. |
I don't think putting it in the signed content itself would work - what we really need is proof that the signature was created during the validity window of the key, not the signed content. So we have something like: Bob signs Payload A with Key A, getting Signature A. This way we have independent, non-repudiatable proof that the signature existed before a specific time (typically the key expiry) |
Yes, this makes sense. |
Dan, could you write a brief concrete proposal on how that would work in practice? It sounds like this wouldn't be just a timestamp but rather a single field containing both timestamp and signature. Are there any standards or conventions for how this is conveyed? Do different timestamp authorities use different ones? |
There's a standard that contains both the timestamp and signature together defined in rfc3161. There are alternates such as https://github.com/cyborch/tsa-json, that also do the same thing. I think the simplest would be add a new, optional field to the "signature" type to contain this, and treat it as an opaque byte string. |
Do you also need a type to indicate how to interpret it? And either way, this does not affect the signature itself (i.e. the PAE), correct? |
We don't have a type on the sig field, so I don't think we would need a type here either: https://github.com/secure-systems-lab/signing-spec/blob/master/envelope.proto#L29 I'd be fine either way. And correct - this does not affect the PAE layer. |
So basically we'd say that |
Mark, this is not clear to me. Could you elaborate?
Dan, do you mean sticking the timeserver-signed H(timestamp|signature) alongside the original signature? |
My idea would basically be this modification, applied here: https://github.com/secure-systems-lab/signing-spec/blob/master/envelope.proto#L26 message Signature {
// Signature itself. (In JSON, this is encoded as base64.)
// REQUIRED.
bytes sig = 1;
// *Unauthenticated* hint identifying which public key was used.
// OPTIONAL.
string keyid = 2;
// *Separately authenticated* timestamp attesting to when the sig itself occurred.
// OPTIONAL.
bytes timestamp = 3;
} |
Good: this is what I had in mind also. I don't think the keyid could be multiplexed for this, but i might have misunderstood Mark's proposal. |
Yeah, I'm not sure I understand that part either. |
To confirm, this is not blocking #37 because the timestamp does not appear in the PAE, correct? Sorry for the confusion around A few other questions:
|
Whoops, wrong button. |
Good questions. I don't think these crucial information (perhaps even part of the signed metadata) should be implicitly tied to the |
In my understanding, we can put As defined in RFC3161, we can extract the One is to set |
@shizhMSFT that all matches my understanding. There are a few other timestamp formats we're investigating too. Cc @asraa can give the latest updates there. |
So it sounds like the consensus is to add a single If so, I'll send out a PR to add such a field. |
I'm in no huge particular rush on this one, so if we want to leave this open to bake a little more that's fine with me. |
Sounds good. It might also be good to start with an implementation before changing the spec. |
Yeah. Seems like it. Agreed that TimeStampToken for an RFC 3161 would match this. Other signature formats we're exploring based on signed notes would include the same information as this, including at least a reference to a certificate chain to use for verification. Even then you would need a root CA to provide out of band to verify the chain against, so yes, I think you will need to agree on at least one thing to trust out of band. |
We extended DSSE to support timestamps. The timestamp is a counter signature to the signature on the data. Here is our implementation: https://github.com/testifysec/go-witness/blob/main/dsse/dsse.go#L56 We would like to upstream this |
Some signing schemes, particularly around artifacts and metadata, rely on timestamp authorities to attest to when a signature was produced. (JARs and Authenticode are examples of this in the wild today).
In this case, the keyID and signature are no longer enough to actually verify that a signature is correct. We have to also check that the signature was produced during the validity window for that key. I think it might make sense to add a field for this somewhere in the envelope.
The text was updated successfully, but these errors were encountered: